Szhlopp

Memory UDF

=sinister=

Hrm, ok well I usually mess around with CE with WoW, and I always find non-static addresses that I have to find a pointer for, but I always find on another site the "Player Address" (which is an address that contains all player data) plus its offset, and I could never find out how to find either of them =\. I always tend to have to do things the hard way when it comes to memory editing.

MasterX

I tried this.

#include<NomadMemory.au3>
#include<MemoryGetBaseAddressUDF.au3>
$ID=_MemoryOpen(ProcessExists("Client.exe"))
$pid = ProcessExists("Client.exe")
$Offset = Dec("00466BBC")
$openmem = _MemoryOpen($pid)
$baseADDR = _MemoryGetBaseAddress($openmem, 1)
$FinalStatic = "0x" & Hex($baseADDR + $Offset)
MsgBox(0,"",$FinalStatic)
$read=_memoryread($finalstatic,$openmem)
MsgBox(0,"",$read)
_MemoryClose($ID)

But it returned a false address :/

ZokNy

"Library.dll+offset" solution:

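Func _MemoryModuleGetBaseAddress($iPID, $sModule)
    If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
    If Not IsString($sModule) Then Return SetError(2, 0, 0)

    ; Get a process handle. EnumProcessModules and GetModuleBaseNameW only need
    ; PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_VM_READ (0x0010).
    Local $PERMISSION = BitOR(0x0400, 0x0010)
    Local $aOpen = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", $PERMISSION, "bool", 0, "dword", $iPID)
    ; Error 3 (added here): the process could not be opened with the requested rights
    If @error Or Not $aOpen[0] Then Return SetError(3, 0, 0)
    Local $hProcess = $aOpen[0]

    Local $PSAPI = DllOpen("psapi.dll")
    Local $pBase = 0

    ; EnumProcessModules fills the array with one module handle (= module base address) per loaded module
    Local $Modules = DllStructCreate("ptr[1024]")
    Local $aCall = DllCall($PSAPI, "bool", "EnumProcessModules", "handle", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
    If Not @error And $aCall[0] And $aCall[4] > 0 Then
        ; $aCall[4] is a byte count: divide by the pointer size (4 on x86, 8 on x64)
        ; instead of a fixed 4, and never walk past the 1024-entry buffer
        Local $iPtrSize = DllStructGetSize($Modules) / 1024
        Local $iModnum = $aCall[4] / $iPtrSize
        If $iModnum > 1024 Then $iModnum = 1024
        Local $aTemp
        For $i = 1 To $iModnum
            $aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "handle", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
            If Not @error And $aTemp[3] = $sModule Then
                $pBase = Ptr(DllStructGetData($Modules, 1, $i))
                ExitLoop
            EndIf
        Next
    EndIf

    ; Release the DLL and the process handle on every path
    DllClose($PSAPI)
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)

    If Not $pBase Then Return SetError(-1, 0, 0)
    Return $pBase
EndFunc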

Feel free to include!

Based on ModuleSpy from wraithdu.

Szhlopp

"Library.dll+offset" solution:

Sweet!!! Great job!

I'm going to test this fairly soon here. If it works I would gladly add this in!

socal

OK, did the tutorial on finding the multiple level pointers, now I have no idea how to use them. Anyone who can shed some light?

[[[[0x02A48048]+0xC]+0x10]+0x14]+0x70 (that's what I got).

socal

Disregard the above, I sorted it out.

TomCat

Can someone give me an example of how to use _MemoryModuleGetBaseAddress please? I tried this:

$iPID = WinGetProcess("Test")

$sModule = ("test.dll+1A128")

$baseADDR = _MemoryModuleGetBaseAddress($iPID, $sModule)

but it doesn't work :P

ZokNy

Use the func from #23.

Then try this:

$iPID = WinGetProcess("Test")
$sModule = "test.dll"
$iOffset = 0x1A128
$baseADDR = _MemoryModuleGetBaseAddress($iPID, $sModule) + $iOffset
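
How the two address notations in this thread evaluate, `module.dll+offset` from the reply above and the bracketed multi-level pointer socal posted, as an added Python example that is not part of any post or of the UDF. The module bases and memory contents are constructed sample values, `resolve` and `read_ptr` are hypothetical names, and it runs against an in-memory table rather than a live process.

```python
import re

# Constructed sample data, not taken from any real process.
MODULES = {"test.dll": 0x10000000}            # module name (lowercase) -> load base
MEMORY = {0x02A48048: 0x03000000, 0x0300000C: 0x03100000,
          0x03100010: 0x03200000, 0x03200014: 0x03300000}  # address -> stored pointer

TOKEN = re.compile(r"\[|\]|\+|[^\[\]+\s]+")

def read_ptr(addr):
    """Stand-in for a 32-bit pointer read; fails on unmapped addresses."""
    if addr not in MEMORY:
        raise LookupError(f"unreadable address 0x{addr:08X}")
    return MEMORY[addr]

def resolve(expr, modules=MODULES, read=read_ptr):
    """Evaluate 'mod.dll+1A128' or '[[base]+off]+off' to an absolute address."""
    tokens, pos = TOKEN.findall(expr), 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "[":                      # [x] means: read the pointer stored at x
            addr = total()
            if pos >= len(tokens) or tokens[pos] != "]":
                raise ValueError("missing ']'")
            pos += 1
            return read(addr)
        if tok.lower() in modules:          # a module name stands for its load base
            return modules[tok.lower()]
        try:
            return int(tok, 16)             # offsets are hex, with or without 0x
        except ValueError:
            raise ValueError(f"not a loaded module or hex number: {tok!r}") from None

    def total():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] == "+":
            pos += 1
            value += term()
        return value

    address = total()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return address
```

The same `test.dll+1A128` expression yields a different absolute address whenever the module's load base changes, which is why the module name and the offset have to be kept separate and the base looked up at run time.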

TomCat

Tnx for the answer :D I tried it but u get a wrong address :o

Any Idea why ?

ynbIpb

Maybe somebody will show how to use it in Lineage 2, for example, to find HP \ MP (naturally Game Guard will be turned off)

Thank you.

avati

After many tests with Cheat Engine this function DOES NOT work ... If you open a process with Cheat Engine and then press Memory View, on AllocationBase you see the correct address.

That address is different for each process, but using the GetBaseAddress function from AutoIt you get the same address for all exes.

Usually 0x00400000 or for games 0x00350000

Any ideas why this happens ????

hot202

I don't understand how to add this .dll thing, can someone show an example please?

hot202

Hey, can someone help me? Shouldn't this work? But it doesn't, can someone tell me what I have done wrong?

Engine.exe is the process name

Address is 08FE965C

and its a static with cshell.dll+48965C

#include <NomadMemory.au3>
#include <GUIConstants.au3>
#include <GUIListBox.au3>
#include <Misc.au3>
#include <Array.au3>
HotKeySet("{F2}","poke")


Func poke()
    $ID=_MemoryOpen(ProcessExists("Engine.exe"))
    $iPID = WinGetProcess("cshell")
    $sModule = "cshell.dll"
    $iOffset = 0x48965C
    $baseADDR = _MemoryModuleGetBaseAddress($iPID, $sModule) + $iOffset
    _MemoryWrite($BaseADDR, $ID, 550)
    _MemoryClose($iPID)
EndFunc

While 1
    sleep(1000)
WEnd
 
 
 
 Func _MemoryModuleGetBaseAddress($iPID, $sModule)
    If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
    
    If Not IsString($sModule) Then Return SetError(2, 0, 0)
    
    Local   $PSAPI = DllOpen("psapi.dll")
    
    ;Get Process Handle
    Local   $hProcess
    Local   $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020) ; CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE
    
    If $iPID > 0 Then
        Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
        If $hProcess[0] Then
            $hProcess = $hProcess[0]
        EndIf
    EndIf
    
    ;EnumProcessModules
    Local   $Modules = DllStructCreate("ptr[1024]")
    Local   $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
    If $aCall[4] > 0 Then
        Local   $iModnum = $aCall[4] / 4
        Local   $aTemp
        For $i = 1 To $iModnum
            $aTemp =  DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
            If $aTemp[3] = $sModule Then
                DllClose($PSAPI)
                Return Ptr(DllStructGetData($Modules, 1, $i))
            EndIf
        Next
    EndIf
    
    DllClose($PSAPI)
    Return SetError(-1, 0, 0)
    
EndFunc

Greek

_MemoryModuleGetBaseAddress

n1 work, need it for prototype, works create :)

and thx for _MemoryGetBaseAddress too of course :)

v22

update: Thanks to avati for clarifying that the code doesn't work, post reported to mods as useless.

Allow me to start with stating that I'm a complete utter-n00b when it comes to coding;

Thanks for the effort on trying to simplify the whole memory reading thing, gives me headache and imho not only me;

OP, could you please point me to the field where I paste Game.dll+000B298C and get the real address ? Since I wasn't able to find such a variable, although this ability is advertised.

thanks!

v22

"Library.dll+offset" solution:

always returns "0"

Szhlopp

This DOES work. Let me explain Avati's post...

When you see the AllocationBase in CE, it's FOR that memory section. So yes, they don't always match, but it doesn't matter, as this provides you with the one you need. If for some reason it doesn't return the right value (I've seen it twice in all the things I've hacked), edit the IV_start address or whatever it's called. Should be like 0x00100000, change it to 0x00500000. But as I said, that shouldn't be necessary.

If ANYONE is having problems reading the address, use my function http://www.autoitscript.com/forum/index.php?showtopic=99631

Sorry I've been gone for 5 months. So I haven't been on at all =)

Chaki

it's FOR that memory section.

Before I start studying your script, I would like to know if I'm just going to waste my time.

It is my understanding that both Dynamic and Static addresses are called pointers, because they point to a different address, which is inside the Memory Viewer.

What I'm trying to do is read the value of that address that is found inside the Memory Viewer.

Can your script do that? Or does your script only deal with static addresses?

XxShadowxX

You probably shouldn't have revived this thread.

Anyhow, finding the base address is only useful for static addresses.

Opeth

Sorry to dig up an old thread, but is there any way to use this with Windows 7? I keep getting "Failed to find correct allocation address", which is error state 2. A shot of code below. Thanks! This code is working in Windows XP, just not W7.

$BaseAddress = _MemoryGetBaseAddress($hMemory, 1)
If $BaseAddress = 0 Then
    Select
        Case @error = 1
            MsgBox(0, "Error", "Error getting base address: " & @CRLF & "Invalid handle to open process")
        Case @error = 2
            MsgBox(0, "Error", "Error getting base address: " & @CRLF & "Failed to find correct allocation address")
        Case @error = 3
            MsgBox(0, "Error", "Error getting base address: " & @CRLF & "Failed to read from the specified process")
    EndSelect
EndIf